Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Peter Gutmann <> Mon, 30 November 2015 01:26 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 188AF1B3DAA for <>; Sun, 29 Nov 2015 17:26:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.785
X-Spam-Status: No, score=-4.785 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7R1rV6iAFdsB for <>; Sun, 29 Nov 2015 17:26:18 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 35BDD1B3DA8 for <>; Sun, 29 Nov 2015 17:26:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1448846778; x=1480382778; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=2PJMoG09jl1lsm2RjuK1PnA7gH+V5u1m3Oe8O8U1Hi8=; b=eVJKZdo272cR37wbryqnqh5Rmk6WLPD49Xyh6rsNukx2+J8gxd3R/h02 VdMtBaB4CQkmqXgwrwj6EBsb33tNmS5aRXzyEKIrrlo96hbTNX7qavEX2 i0mW0+9W+TthIbsapCg1BIpj3JMjVzvOs4nDoKXkZeMjDlCCiQczogvIr UBfuqSoqT5fIeLrdBFqHrKY8IidAmJEVfnrNeIp7SGJ3sqWmQi8W38lgX 4OxE4027az159jqeGV8gBcsXwn7IpPz1A9B/Yd5XSFL7ymwTTZkRiZkUp o4sxoTb4kolKjaELK7wUV+OnsRo8Wu9BXyOKjKijpVnFadrqJKYBlBlng w==;
X-IronPort-AV: E=Sophos;i="5.20,361,1444647600"; d="scan'208";a="56726074"
X-Ironport-Source: - Outgoing - Outgoing
Received: from (HELO ([]) by with ESMTP/TLS/AES256-SHA; 30 Nov 2015 14:26:15 +1300
Received: from ([]) by ([]) with mapi id 14.03.0266.001; Mon, 30 Nov 2015 14:26:15 +1300
From: Peter Gutmann <>
To: Bryan A Ford <>, "" <>
Thread-Topic: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
Thread-Index: AQHRKSDnEzBCXT12GkOsH7hTugsdcp6xSadegACXeACAAeiXew==
Date: Mon, 30 Nov 2015 01:26:15 +0000
Message-ID: <>
References: <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 30 Nov 2015 01:26:22 -0000

Bryan A Ford <> writes:

>Feel free to attack my proposal but then please attack *my* proposal, not 
>the old broken SSH approach.

I was actually commenting on the concept of encrypting headers in general,
not the specific case you'd given.  That is, I assumed you'd specifically 
chosen the one case where it's practical, an AEAD stream cipher, and used
that as a strawman.  Re-reading your post, it looks like "adding a stream
cipher to every TLS 1.3-compatible ciphersuite" should really be "require
that the only cipher type allowed for TLS be an AEAD stream cipher", 
because it's not going to work with anything else.

This breaks a fundamental principle of TLS, that you can drop in any 
algorithm or mechanism you like (well, within reason) and it'll still work.  
More importantly, if a flaw is found in one mechanism, you can switch to 
another.  In the past we've been able to switch between a KSG cipher (RC4), 
64-bit block ciphers, 128-bit block ciphers, and AEAD ciphers as required.
With this change, it looks like the only choice you have is an AEAD stream

In addition, it doesn't actually achieve what you think it does, I'll 
expand on that in a separate message in reply to another post.